Communication To Uncommon Destination Ports
Detects programs that connect to uncommon destination ports
Sigma rule
```yaml
title: Communication To Uncommon Destination Ports
id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
related:
    - id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
      type: similar
status: test
description: Detects programs that connect to uncommon destination ports
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2024-03-12
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1571
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 8080
            - 8888
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128' # IPv6 loopback
            - 'fe80::/10' # IPv6 link-local addresses
            - 'fc00::/7' # IPv6 private addresses
    filter_optional_sys_directories:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
```
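To see how the condition evaluates, here is an added Python example (not part of the Sigma project or of this rule page) that applies the selection and both filter groups to constructed Sysmon Event ID 3 style records; the function names and sample values are assumptions, and the string comparisons are lower-cased because Sigma matching is case-insensitive.

```python
import ipaddress

# Rule parameters transcribed from the Sigma rule above.
UNCOMMON_PORTS = {8080, 8888}
LOCAL_RANGES = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
# Sigma string matching is case-insensitive, so prefixes are kept lower-cased.
SYS_DIR_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

def is_local(ip: str) -> bool:
    """filter_main_local_ranges: DestinationIp|cidr against the listed ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable address never matches the CIDR filter
    return any(addr in net for net in LOCAL_RANGES)

def matches_rule(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    try:
        port = int(event.get("DestinationPort", -1))  # logs may carry the port as a string
    except (TypeError, ValueError):
        return False
    selection = str(event.get("Initiated", "")).lower() == "true" and port in UNCOMMON_PORTS
    if not selection:
        return False
    if is_local(str(event.get("DestinationIp", ""))):
        return False  # filter_main_local_ranges
    if str(event.get("Image", "")).lower().startswith(SYS_DIR_PREFIXES):
        return False  # filter_optional_sys_directories
    return True

# Constructed Sysmon Event ID 3 style records (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 8080},      # alerts
    {"Image": r"C:\Program Files\Vendor\agent.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": "8888"},    # filtered: Program Files
    {"Image": r"C:\Users\alice\tool.exe", "Initiated": "true",
     "DestinationIp": "10.20.30.40", "DestinationPort": 8080},       # filtered: RFC 1918 range
    {"Image": r"C:\Users\alice\tool.exe", "Initiated": "true",
     "DestinationIp": "fe80::1", "DestinationPort": 8888},           # filtered: IPv6 link-local
    {"Image": r"C:\Users\alice\tool.exe", "Initiated": "false",
     "DestinationIp": "203.0.113.10", "DestinationPort": 8080},      # inbound: selection fails
    {"Image": r"C:\Users\alice\tool.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},       # common port: selection fails
]

def alerts(events=SAMPLE_EVENTS) -> list:
    return [e for e in events if matches_rule(e)]
```

Only the first constructed record survives both filter groups; the Program Files entry shows why the optional filter exists, and a process outside that path on a private or link-local destination is suppressed by the main filter.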
Related rules
- Potentially Suspicious Malware Callback Communication
- Potentially Suspicious Malware Callback Communication - Linux
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- New Outlook Macro Created